Re: [w3ctag/design-reviews] Secure Payment Confirmation - Part 2 (#675)

**Editor’s Draft, 9 September 2021**:

<table><tr><td><i>
An additional benefit of this feature to Relying Parties is that they no longer need to build their own front-end experiences for authentication.  Instead, payment service providers are likely to build them on behalf of merchants.</i></td></tr></table>

The latter has a technical explanation: due to its architectural origins (3DS and WebAuthn), SPC does in practice rather _mandate outsourcing_, except for a limited set of big merchants.

The root of this requirement is that SPC _by design_ leaves everything related to payment instrument (e.g. card) discovery and selection, as well as locating the issuing bank, to the market to figure out, and in a provider-specific way, as outlined in the draft's sample session:

<table><tr><td><i>The merchant communicates out-of-band with the issuing bank of the payment instrument (e.g., using another protocol).</i></td></tr></table>

This differs from native mode mobile "wallets", which _by design_ usually have quite modest (and unlike SPC, _documented_) requirements for merchant integration.  This is due to the fact that these applications build on a _uniform_ and _integrated_ payment experience which also makes "backend" support straightforward.  That is, these systems do not depend on OOB communication using another protocol. In fact, there is no interaction whatsoever with issuing banks during the _user's part_ of a payment authorization process.

That Relying Parties (banks) are eager to outsource the "front-end experiences" to third parties is not a universal truth.  Current offerings as well as high profile projects like the European Payments Initiative rather point in the opposite direction.

According to the draft, SPC is

<table><tr><td><i>...to be used within a wide range of authentication protocols</i></td></tr></table>

which does not easily translate into real-world terms, since no examples have been provided.  Given that current systems are all over the map, it seems like a pretty bold statement as well.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/675#issuecomment-922635220

Received on Monday, 20 September 2021 04:47:05 UTC